Fixed #8509: Cleaned up handling of test cookies in admin logins. Thanks to rajeshd for the report of a problem case.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@8509 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2025-10-24 06:06:09 +00:00 · 2008-08-24 06:34:18 +00:00
parent 74b3173fba
commit 27b0077a48
4 changed files with 36 additions and 3 deletions
--- a/tests/regressiontests/admin_views/tests.py
+++ b/tests/regressiontests/admin_views/tests.py
@@ -274,6 +274,15 @@ class AdminViewPermissionsTest(TestCase):
        self.failUnlessEqual(Article.objects.all().count(), 4)
        self.client.get('/test_admin/admin/logout/')

+        # 8509 - if a normal user is already logged in, it is possible
+        # to change user into the superuser without error
+        login = self.client.login(username='joepublic', password='secret')
+        # Check and make sure that if user expires, data still persists
+        self.client.get('/test_admin/admin/')
+        self.client.post('/test_admin/admin/', self.super_login)
+        # make sure the view removes test cookie
+        self.failUnlessEqual(self.client.session.test_cookie_worked(), False)
+
    def testChangeView(self):
        """Change view should restrict access and allow users to edit items."""

@@ -506,6 +515,8 @@ class SecureViewTest(TestCase):
        self.assertRedirects(login, '/test_admin/admin/secure-view/')
        self.failIf(login.context)
        self.client.get('/test_admin/admin/logout/')
+        # make sure the view removes test cookie
+        self.failUnlessEqual(self.client.session.test_cookie_worked(), False)

        # Test if user enters e-mail address
        request = self.client.get('/test_admin/admin/secure-view/')
@@ -552,3 +563,23 @@ class SecureViewTest(TestCase):
        self.failUnlessEqual(login.status_code, 200)
        # Login.context is a list of context dicts we just need to check the first one.
        self.assert_(login.context[0].get('error_message'))
+
+        # Check and make sure that if user expires, data still persists
+        data = {'foo': 'bar'}
+        post = self.client.post('/test_admin/admin/secure-view/', data)
+        self.assertContains(post, 'Please log in again, because your session has expired.')
+        self.super_login['post_data'] = _encode_post_data(data)
+        post = self.client.post('/test_admin/admin/secure-view/', self.super_login)
+        # make sure the view removes test cookie
+        self.failUnlessEqual(self.client.session.test_cookie_worked(), False)
+        self.assertContains(post, "{'foo': 'bar'}")
+        self.client.get('/test_admin/admin/logout/')
+                
+        # 8509 - if a normal user is already logged in, it is possible
+        # to change user into the superuser without error
+        login = self.client.login(username='joepublic', password='secret')
+        # Check and make sure that if user expires, data still persists
+        self.client.get('/test_admin/admin/secure-view/')
+        self.client.post('/test_admin/admin/secure-view/', self.super_login)
+        # make sure the view removes test cookie
+        self.failUnlessEqual(self.client.session.test_cookie_worked(), False)